(54) System and method for generating trusted, architecture specific, compiled versions of architecture neutral programs

(57) A distributed computer system has a program compiling computer and a program executing computer. The program compiling computer is operated by a compiling party and includes a compiler that, when the digital signature of the originating party of an architecture neutral program has been verified, (A) compiles the architecture neutral program code of the architecture neutral program into architecture specific program code in the architecture specific language identified by the compile to information in the architecture neutral program, and (B) appends to the architecture specific program code a digital signature of the compiling party to generate an architecture specific program. The program executing computer is operated by an executing party and includes an architecture specific program executer that executes the architecture specific program code of the architecture specific program when the digital signature of the originating party of the architecture neutral program has been verified, the digital signature of the compiling party of the architecture specific program has been verified, and the compiling party has been determined to be a member of a defined set of trusted compiling parties.
The present invention relates to distributed systems, and particularly to a program compilation system and method in which architecture neutral executable programs are compiled by a trusted third party in such a way that recipients of the compiled program can verify the identity of the corresponding architecture neutral program and can verify that it was compiled by the trusted third party.

BACKGROUND OF THE INVENTION 

The term "architecture" is defined for the purposes of this document to mean the operating characteristics of a family of computer models. Examples of architectures are: Macintosh computers, IBM PC compatible computers using the DOS or Windows operating systems, SUN Microsystems computers running the Solaris operating system, and computer systems using the Unix operating system.

The term "architecture neutral" is defined for the purposes of this document to refer to the ability of certain programs, such as programs written in the Java (a trademark of Sun Microsystems, Inc.) language, to be executed on a variety of computer platforms using a number of different computer architectures.

The term "architecture specific" is defined for the purposes of this document to refer to the requirement that certain programs be executed only on computer platforms using a single computer architecture. For instance, programs written in the 80486 assembler language can only be executed on computers using the IBM PC compatible computer architecture (as well as in other computers that contain IBM PC compatible computer emulators).

Important features of architecture neutral programs (ANPrograms) include the architecture independence of programs written in the architecture neutral language (ANLanguage). For example, Java bytecode programs can be executed on any computer platform having a Java bytecode interpreter. An additional important feature of Java bytecode programs is that their integrity can be directly verified prior to execution by a Java bytecode verifier. A Java bytecode verifier determines whether the program conforms to predefined integrity criteria. Such criteria include operand stack and data type usage restrictions that ensure that Java bytecode programs cannot overflow or underflow the executing computer's operand stack and that all program instructions utilize only data of known data types. As a result, a Java bytecode program cannot access resources other than those which the user has explicitly granted it permission to use.

Unfortunately, writing programs in an ANLanguage causes the ANProgram to run less efficiently than it would if it took advantage of architecture specific features. For example, Java bytecode programs executed by a Java bytecode interpreter typically run 2.5 to 5 times as slow as the architecture specific programs (ASPrograms) compiled in corresponding architecture specific languages (ASLanguages). While a factor of five speed degradation is actually considered unusually good for an ANProgram (i.e., an interpreter), it is a sufficient loss of speed that users may require or insist upon the ability to use equivalent programs compiled in an ASLanguage.

Compilers that compile an ANProgram into an equivalent ASProgram can be written. However, they may be prohibitively expensive for the user. In addition, the integrity of the equivalent compiled ASProgram cannot be verified because an ASProgram cannot be verified by an ANProgram integrity verifier. Thus, in the case of Java bytecode programs, compiling them into equivalent ASPrograms potentially results in the loss of one of the most valuable features of Java bytecode programs.

However, there are a number of legal tasks that can be performed by integrity non-verifiable ASPrograms but which cannot be performed by integrity verifiable ANPrograms. These include tasks that would otherwise violate the operand stack and data type usage restrictions imposed on the integrity verifiable ANPrograms. In addition, such ASPrograms run much faster than ANPrograms. As a result, there are a number of reasons why it is desirable to have an ANProgram executer that is designed to primarily execute integrity verifiable ANPrograms but also has the capability of executing integrity non-verifiable ASPrograms.

While compilation of ANPrograms by a third party is possible, such compilations require that the third party be authenticated. That is, it must be possible to verify from the information in the compiled ASProgram that it was compiled by a trusted party. Even better, it should also be possible to authenticate that it was compiled by a specific trusted compiler. And, since the integrity of the compiled ASProgram with respect to predefined integrity criteria cannot be directly verified, the compiled ASProgram should include information that in a verifiable manner identifies the ANProgram from which it was compiled and the ASLanguage into which it was compiled.

Embodiments of the present invention provide an ANProgram compiler and compilation method that enables the user of a compiled ASProgram and a corresponding ANProgram to authenticate the identity of who compiled the ANProgram, the identity of the corresponding ANProgram, and the ASLanguage in which the ASProgram was compiled.

Embodiments of the present invention also provide an ANProgram executer and execution method that enables integrity verifiable ANPrograms being executed to call integrity non-verifiable ASPrograms that have verifiable sources and compilation information so that essentially all legitimate tasks can be performed, while preventing from being called ASPrograms whose sources, compilation information, and integrity cannot be verified.

SUMMARY OF THE INVENTION 


In summary, the present invention is a computer network that comprises a program compiling computer and a program executing computer.

The program compiling computer is operated by a compiling party and includes storage that stores an architecture neutral program generated by an originating party. The architecture neutral program contains architecture neutral program code and a digital signature of the originating party. The program compiling computer also includes a signature verifier that verifies the digital signature of the originating party to verify that the signature of the originating party matches (i.e., was generated using) the architecture neutral program to which it is attached.

The program compiling computer further includes a compiler that, when the digital signature of the originating party has been verified, compiles the architecture neutral program code into architecture specific program code in the architecture specific language identified by the compile to information. The compiler utilizes a signature generator to append to the architecture specific program code a digital signature of the compiler program, where the compiler signature signs a set of information that includes the compiled architecture specific program code plus the signature on the architecture neutral program. In the preferred embodiment the compiler utilizes the signature generator to also append to the architecture specific program code a digital signature of the compiling party, where the compiling party signature signs a set of information that includes the compiled architecture specific program code, the signature on the architecture neutral program and the compiler signature.

The program executing computer is operated by an executing party and includes storage that stores the architecture neutral and specific programs. It further includes a signature verifier that (A) verifies the digital signature of the originating party in the architecture neutral program, and (B) verifies the digital signature of the compiler in the architecture specific program and/or verifies the digital signature of the compiling party in the architecture specific program. The term "verifies a signature" means that a procedure is performed to determine that the signature matches (i.e., was in fact generated from) the set of information allegedly signed by the signature.

The program executing computer also includes an architecture specific program executer that, when the digital signatures in the architecture specific program have been verified, executes the architecture specific program code of the architecture specific program.

In the preferred embodiment, the architecture neutral program is embodied in an object that contains a digital signature that includes a message digest uniquely associated with the architecture neutral program. The architecture specific program generated by the compiler includes:

• the compiled, architecture specific code;

• the digital signature of the corresponding architecture neutral program as signed by the party that provided the architecture neutral program;

• a digital signature by the compiler itself, including a message digest of the compiled program and information identifying the compiler used to compile the program, and signed using the compiler's private encryption key; and

• a digital signature by the trusted party performing the compilation, including a message digest of the compiled program and information identifying the trusted party, and signed using the compiling party's private encryption key.

A generally available, trusted repository of public encryption keys, sometimes called a naming service, holds the public keys for the compiler and the trusted compiling party. Using these public encryption keys all recipients of the compiled program can decrypt the digital signatures in the compiled program to verify that the compiled program was compiled by the indicated trusted party and by the indicated compiler, and also to verify the identity of the corresponding architecture neutral program. Optionally, the recipient of the compiled program can use a program verifier to verify the proper operation of the corresponding architecture neutral program prior to executing the compiled architecture specific program.

BRIEF DESCRIPTION OF THE DRAWINGS 

Examples of the invention will be described in conjunction with the drawings, in which: 

Fig. 1 is a block diagram of a distributed computer system incorporating a preferred embodiment of the present invention.

Fig. 2 depicts the structure of an architecture neutral program in accordance with a preferred embodiment of the present invention.

Fig. 3 depicts the structure of a compiled, architecture specific program generated in accordance with a preferred embodiment of the present invention.

Fig. 4 depicts an object and its associated object class in accordance with a preferred embodiment of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Referring to Fig. 1, there is shown a computer network 100 having many client computers 102, a server computer 104, and a trusted key repository 106. The client computers 102 are connected to each other, the server computer 104 and the trusted key repository 106 via a network communications connection 108. The network communications connection may be a local or wide area network, the Internet, a combination of such networks, or some other type of network communications connection.

While most of the client computers 102 are desktop computers, such as Sun workstations, IBM compatible computers, and Macintosh computers, virtually any type of computer could be a client computer. Each of the client computers includes a CPU 110, a user interface 112, a memory 114, and a network communications interface 116. The network communications interface enables the client computers to communicate with each other, the server computer 104, and the trusted key repository 106 via the network communications connection 108.

The memory 114 of each client computer 102 stores an operating system 118, a network communications manager 120, an ANProgram (architecture neutral program) executer 122, an ASProgram (architecture specific program) executer 124, an ANProgram integrity verifier 126, an ANProgram compiling preparer 128, a signature generator 130, a signature verifier 132, a compiling information verifier 134, an object class loader 136, a user address space 138, a trusted object class repository 140, an untrusted object class repository 142, and lists 144 of known trusted compiling parties and trusted compilers. The operating system is run on the CPU 110 and controls and coordinates running the programs 120-136 on the CPU in response to commands issued by a user with the user interface 112.

The ANProgram executer 122 of each client computer 102 executes ANPrograms in the object classes stored in the trusted and untrusted object class repositories 140 and 142. Moreover, the ANPrograms are written in an ANLanguage that has predefined integrity criteria, such as stack and data usage restrictions, so that the integrity of the ANPrograms can be directly verified by the ANProgram integrity verifier 126 prior to execution by determining if the program satisfies the predefined integrity criteria. These ANPrograms are therefore considered integrity verifiable ANPrograms.

In the preferred embodiment, the integrity verifiable ANPrograms are written in the Java bytecode language. Moreover, the ANProgram executer 122 and the ANProgram integrity verifier 126 are respectively a Java bytecode program interpreter and a Java bytecode program verifier that respectively execute and verify the Java bytecode programs. The Java bytecode verifier and interpreter are products of Sun Microsystems, Inc.

However, each client computer 102 has an associated specific architecture for which programs may be written in a corresponding ASLanguage and executed by the ASProgram executer 124. The ASLanguage does not require that ASPrograms written in the ASLanguage satisfy the predefined integrity criteria of the ANLanguage. Thus, the ASPrograms can perform tasks that cannot be performed by the ANPrograms because they are not burdened by the predefined integrity criteria of the ANLanguage. Unfortunately, however, this also means that the integrity of the ASPrograms cannot be verified by the ANProgram integrity verifier 126, and they are therefore considered integrity non-verifiable. Moreover, as stated earlier, an ANProgram runs less efficiently than the same program compiled in an ASLanguage. Thus, a user of a client computer 102 may wish to have an ANProgram compiled by the server computer 104 in the ASLanguage associated with the user's client computer so the compiled ASProgram can be executed by the ASProgram executer 124. Or, the user may wish to have the ANProgram compiled in the ASLanguages associated with other client computers if the compiled ASPrograms are going to be distributed and executed by the ASProgram executers 124 of other client computers.

Preparing an Architecture Neutral Program for Compiling 

Referring to Figs. 1 and 2, when an originating party (OrigParty) wishes to have an ANProgram 200 compiled by the server computer 104, the OrigParty issues a command with the user interface 112 to invoke the ANProgram compiling preparer 128 and instruct it to prepare the ANProgram for compiling. The ANProgram may be in an object class contained in one of the trusted or untrusted object class repositories 140 or 142. Table 1 contains a pseudocode representation of the procedure used by the ANProgram compiling preparer 128 to prepare the ANProgram for compiling by the server computer 104. The pseudocode used in Tables 1-3 uses universal computer language conventions. While the pseudocode employed here has been invented solely for the purposes of this description, it is designed to be easily understandable by any computer programmer skilled in the art.
Referring to Figs. 1 and 2 and Table 1, the ANProgram compiling preparer 128 first calls the ANProgram integrity verifier 126 and instructs it to verify the integrity of the ANProgram code 202 of the ANProgram 200. This is done to make sure that the ANProgram code satisfies the predefined integrity criteria of the ANLanguage prior to being sent to the server computer 104 for compiling. If the ANProgram code does not satisfy the predefined integrity criteria, the ANProgram integrity verifier sends back a failed result to the ANProgram compiling preparer. In response, the ANProgram compiling preparer aborts the compiling preparation procedure and generates an appropriate message indicating this.

However, if the ANProgram code 202 does satisfy the predefined integrity criteria, then the ANProgram integrity verifier 126 sends back a passed result to the ANProgram compiling preparer 128. The ANProgram compiling preparer then calls the signature generator 130 and instructs it to generate the OrigParty's digital signature (DigitalSignature_OP) 210 that can be verified to ensure that the ANProgram 200 was generated by the trusted OrigParty. The signature generator generates the DigitalSignature_OP by first generating a message digest (MD_OP) 212 of the ANProgram code 202. It does this by computing a hash function, HashFunction_OP, on the data bits of the ANProgram code. The hash function used may be either a predetermined hash function or one selected by the OrigParty. For purposes of this document, the HashFunction_OP corresponds to the OrigParty since it was used for the DigitalSignature_OP of the OrigParty.

The signature generator 130 then encrypts the generated message digest (MD_OP) 212 and the ID of the HashFunction_OP (HashFunction_OP ID) 214 with the private encryption key of the OrigParty (OrigParty's PrivateKey). The signature generator then adds the OrigParty's ID 216 in clear text at the end of the encrypted items 212 and 214 to form the DigitalSignature_OP. The OrigParty's PrivateKey and ID are provided by the OrigParty with the user interface 112.

After the DigitalSignature_OP 210 is generated, the ANProgram compiling preparer 128 appends it to the ANProgram code 202. Then, the ANProgram compiling preparer generates a message that the ANProgram 200 has been prepared for compiling by the server computer 104.

The OrigParty then issues with the user interface 112 a command to the network communications manager 120 to transmit the ANProgram 200 to the server computer 104, along with arguments specifying the architecture specific language into which the program is to be compiled (ASLanguage ID) and the compiler to be used (Compiler ID). The network communications manager retrieves the ANProgram from the trusted or untrusted object class repository 140 or 142 in which it is located and provides it to the network communications interface 116. The network communications manager then instructs the network communications interface to transmit the ANProgram to the server computer along with the specific arguments.

Compiling an Architecture Neutral Program 

The transmitted ANProgram 200 is then received at the server computer 104. The server computer includes a CPU 150, a user interface 152, a memory 154, and a network communications interface 156. The network communications interface enables the server computer to communicate with the client computers 102 and the trusted key repository 106 via the network communications connection 108.

The memory 154 of the server computer 104 stores an operating system 158, a network communications manager 160, an ANProgram compiler 162, a signature verifier 164, an ANProgram integrity verifier 166, a signature generator 168, an ANProgram repository 170, and an ASProgram repository 172. The operating system is run on the CPU 150 and controls and coordinates running the programs 160-168 on the CPU in response to commands issued by a compiling party (CompParty) with the user interface 152.

The network communications interface 156 receives the ANProgram 200 and instructs the network communications manager 160 that this has occurred. In response, the network communications manager places the received ANProgram in the ANProgram repository 170. If the server 104 is set up as an automatic compiler service, this is done automatically by the network communications manager 160. Otherwise, the ANProgram is moved into repository 170 by the network communications manager when the CompParty issues a command with the user interface.

Then, either automatically, or upon the issuance of a command by the CompParty with the user interface 152, the ANProgram compiler 162 is invoked to compile the ANProgram 200. Table 2 contains a pseudocode representation of the compilation procedure used by the ANProgram compiler to compile the ANProgram.

Referring to Figs. 1-2 and Table 2, the ANProgram compiler 162 first calls the signature verifier 164 to verify the DigitalSignature_OP 210 in the received ANProgram 200 so as to establish that the DigitalSignature_OP 210 is actually the originating party's signature for the ANProgram (e.g., as opposed to being a forged signature or the OrigParty signature on some other version of the ANProgram). In particular, the signature verifier uses the clear text OrigParty's ID 216 in the received ANProgram to obtain the OrigParty's PublicKey from the trusted key repository 106. Then the signature verifier decrypts the encrypted MD_OP 212 and HashFunction_OP ID 214 in the DigitalSignature_OP using the public encryption key of the OrigParty (OrigParty's PublicKey).

Next, the signature verifier 164 generates a test message digest (TestMD_OP), which should match the decrypted MD_OP 212, by computing the corresponding HashFunction_OP on the ANProgram code 202 of the received ANProgram 200. The HashFunction_OP ID 214 in the decrypted DigitalSignature_OP is used to identify the proper HashFunction_OP to use. The decrypted MD_OP and the generated TestMD_OP are then compared to verify the DigitalSignature_OP 210. If the MD_OP 212 and the TestMD_OP do not match, then the signature verifier 164 sends back a failed result to the ANProgram compiler 162. In response, the ANProgram compiler aborts the compiling procedure and generates an appropriate message indicating this.

On the other hand, if the MD_OP and the TestMD_OP do match, then the signature verifier 164 sends back a passed result to the ANProgram compiler 162. The ANProgram compiler then calls the ANProgram integrity verifier 166 and instructs it to verify the integrity of the ANProgram code 202 of the received ANProgram 200 in the same manner and for the same purpose as described earlier in the section discussing preparing the ANProgram for compiling. Thus, if the ANProgram code does not satisfy the predefined integrity criteria, the ANProgram integrity verifier sends back a failed result to the ANProgram compiler. In response, the ANProgram compiler aborts the compiling procedure and generates an appropriate message indicating this.

If the ANProgram code 202 of the received ANProgram 200 does satisfy the predefined integrity criteria, then the ANProgram integrity verifier 166 sends back a passed result to the ANProgram compiler 162. The ANProgram compiler then compiles the ANProgram code into the ASLanguage identified by the ASLanguage ID specified by the OrigParty.

Referring to Figs. 1-3 and Table 2, the compiler places the ANProgram code 202, the DigitalSignature_OP 210 and the compiled ASProgram code 302 in an ASProgram 300 that is stored in the ASProgram repository 172. The ANProgram compiler 162 then calls the signature generator 168 and instructs it to generate the ANProgram compiler's digital signature (DigitalSignature_C) 320, which can be verified to ensure that the ASProgram 300 was compiled with the trusted ANProgram compiler. This is done in a manner similar to that described earlier for generating the DigitalSignature_OP, except that the set of information signed is the ASProgram code 302 and the DigitalSignature_OP 210. A hash function with a corresponding HashFunction_C ID 324 is used to generate the message digest (MD_C) 322 of the set of information to be signed by the DigitalSignature_C. The private encryption key of the ANProgram compiler (Compiler's PrivateKey) is used to encrypt the MD_C and the HashFunction_C ID, and an identifier of the ANProgram compiler (Compiler's ID) is added in clear text at the end of the encrypted MD_C and HashFunction_C ID. The Compiler's PrivateKey and ID are provided by the ANProgram compiler.

The ANProgram compiler 162 calls the signature generator 168 a second time to generate the CompParty's digital signature (DigitalSignature_CP) 312, which can be verified by end users to ensure that the ASProgram 300 was generated by the trusted CompParty. This is done in a manner similar to that described earlier for generating the DigitalSignature_OP (in the section discussing preparing an ANProgram for compiling). However, here the message digest (MD_CP) 314 is generated by a predetermined or CompParty selected hash function, HashFunction_CP, on the ASProgram code 302, the DigitalSignature_OP and the DigitalSignature_C. Similar to the HashFunction_OP, for purposes of this disclosure, the HashFunction_CP corresponds to the CompParty since it was used for the DigitalSignature_CP of the CompParty.

The signature generator 168 then encrypts the MD_CP 314 and the ID of the HashFunction_CP (HashFunction_CP ID) 316 with the private encryption key of the CompParty (CompParty's PrivateKey). The signature generator then adds the CompParty's ID 318 in clear text at the end of the encrypted items 314 and 316 to form the DigitalSignature_CP 312. The CompParty's PrivateKey and ID are provided by the CompParty with the user interface.

After the DigitalSignature_C 320 and the DigitalSignature_CP 312 are generated, the ANProgram compiler 162 appends them to the ASProgram code 302, so that the resulting compiled ASProgram file or object has the following components in it:

• ANProgram Code,

• DigitalSignature_OP,

• ASProgram Code,

• DigitalSignature_C, and

• DigitalSignature_CP.

Then, the ANProgram compiler generates a message that the ANProgram 200 has been compiled to form the ASProgram 300 and is ready to be sent to the OrigParty.

The CompParty then uses the network communications manager 160 to transmit the ASProgram 300 to the OrigParty's client computer 102. The network communications manager does so by retrieving the ASProgram from the ASProgram repository 172 in which it is located and provides it to the network communications interface 156. The network communications manager then instructs the network communications interface to transmit the ASProgram to the OrigParty's client computer.

Object and Object Class Creation and Distribution

The transmitted ASProgram 300 is then received by the network communications interface 116 of the OrigParty's client computer, which instructs the network communications manager 120 that this has occurred. In response, the OrigParty issues a command with the user interface 112 to instruct the network communications manager to retrieve the received ASProgram from the network communications interface, causing the network communications manager to place the received ASProgram in the untrusted object class repository 142 of the OrigParty's client computer. Once this is done, the OrigParty may treat the received ASProgram as a new object class with just one method (i.e., the compiled program code), or it may create an object class that includes the ASProgram 300 as well as other ANPrograms and ASPrograms.

Fig. 4 shows a typical object class 400 in accordance with the present invention. The object class may include one or more ASPrograms 402 and/or one or more ANPrograms 404, as well as a virtual function table 410. For each ASProgram, the virtual function table contains a corresponding identifier (native_ASProgram ID) 412 that indicates that it is an ASProgram (i.e., a native program) that is not in the ANLanguage and a corresponding pointer (Ptr) 414 to the native program. Similarly, for each ANProgram, the virtual function table contains a corresponding identifier (ANProgram ID) 416 and a corresponding pointer 418 to the ANProgram. Every object 420 of this object class includes an object header 422 that points to the object class 400.

Thus, the OrigParty may create an object 420 and an object class 400 with the ASProgram 300 that was received from the server computer 104 as one of the ASPrograms 402 in the object class.

When the OrigParty wishes to distribute to various ExecuteParties an object and object class that includes the ASProgram 300 and ANProgram, then the OrigParty issues a command with the user interface 112 to instruct the network communications manager to transmit these items to the client computer 102 of the ExecuteParties. The network communications manager does this by retrieving them from the untrusted object class repository 142 in which they are located and provides them to the network communications interface 116 with appropriate transmission instructions.

Alternately, the network communications manager of the OrigParty may respond to a request initiated by an ExecuteParty for a copy of a specified object class 400.

Execution of Architecture Neutral Programs and Architecture Specific Programs in an Object Class 

The network communications interface 116 of the client computer 102 receives the transmitted object and object class and instructs the network communications manager 120 that this has occurred. In response, the ExecuteParty issues a command with the user interface 112 to instruct the network communications manager to retrieve the received object and object class from the network communications interface. The network communications manager then stores the received object and object class in the untrusted object class repository 142.

The untrusted object class repository 142 of each client computer 102 contains the objects and their associated object classes that are not trusted. These object classes are not trusted because any ANPrograms they include have not yet had their integrity verified and any ASPrograms they include have not had their source verified nor have been verified as being compiled from the proper ANProgram.

The trusted object class repository 140 of each client computer contains the objects and their object classes that are trusted. These object classes are trusted because any ANPrograms they include may have already had their integrity verified by the ANProgram integrity verifier 126 and any ASPrograms they contain have been ascertained to be trustworthy. In fact, some or all the object classes in the trusted object class repository 140 need not have digital signatures, because these object classes are trusted and therefore there is no reason to perform integrity checks on the methods in these object classes.

It is desirable to have an object class that primarily includes ANPrograms but may also include ASPrograms so that essentially all legitimate tasks can be performed with the object class, as suggested earlier. Therefore, the ANProgram executer 122 is capable of executing integrity verifiable ANPrograms and calling the ASProgram executer to execute integrity non-verifiable ASPrograms that are either (1) in trusted object classes in the trusted object class repository 140, or (2) in untrusted object classes in the untrusted object class repository 142 and have verifiable DigitalSignature_OP, DigitalSignature_CP and DigitalSignature_C information, so that essentially all legitimate tasks can be performed. In this way, ASPrograms of untrusted object classes that don't have DigitalSignature_OP, DigitalSignature_CP and DigitalSignature_C information or whose digital signatures cannot be verified are prevented from being executed. Table 3 contains a pseudocode representation of the execution procedure used by the ANProgram executer.

Referring to Figs. 1-4 and Table 3, at the client computer 102 of an ExecuterParty (e.g., the OrigParty or another 
party), the ANProgram executer 122 may be executing an ANProgram that seeks to call a method in a specified object 
class. The method call is initially handled by the object class loader 136, which determines whether or not the object 
class has already been loaded. If the object class has already been loaded into the ExecuterParty's user address space 
138, then the ANProgram executer 122 executes the called method if the called method is an ANProgram, and the 
ASProgram executer 124 executes the called method if the called method is an ASProgram. 
If the object class has not yet been loaded into the ExecuterParty's address space 138, then the object class 
loader 136 loads the object class into the ExecuterParty's address space and determines whether or not execution of 
the called method is to be allowed. For instance, if the object class was loaded from the trusted object class repository 
140, the class loader enables execution of the called method and calls the ANProgram executer 122 if the called 
method is an ANProgram, and otherwise calls the ASProgram executer 124. 

However, if the object class was loaded from the untrusted object class repository 142, the class loader 136 examines 
the object header to determine if its object class includes any ASPrograms. This is done by determining 
if there are any native_ASProgram IDs in the virtual function table of the object. 

If there are no ASPrograms in the object class, then the class loader 136 calls the ANProgram integrity verifier 126 
to verify the integrity of the ANPrograms in the object class. This is done in the same manner as was described 
earlier for verifying the integrity of the ANProgram 200 (in the section discussing preparing the ANProgram for com- 
piling). Thus, if the integrity of any of the ANPrograms is not verified, then the ANProgram integrity verifier sends back 
to the class loader a failed result and the class loader aborts the class loading procedure and generates an appropriate 
message that this has occurred. Otherwise, the ANProgram integrity verifier sends back a passed result and, since the 
integrity of all the ANPrograms of the object class is verified, the class loader enables execution of the called method. 

If there are ASPrograms in the object class, then the class loader 136 calls the signature verifier 132 to verify 
the Compiler signature DigitalSignature_C and the CompParty signature DigitalSignature_CP. If any of the ASPrograms 
does not include both a DigitalSignature_CP and a DigitalSignature_C, the integrity of that ASProgram's compilation 
cannot be verified, and the signature verifier sends back to the class loader a failed result. In response, the class 
loader aborts the class loading procedure and generates an appropriate message that this has occurred. 

If all of the ASPrograms in the object class do include a DigitalSignature_CP and a DigitalSignature_C, the 
CompParty and Compiler identified in these digital signatures are compared against the ExecuterParty's sets of 
known trusted Compiling Parties and trusted Compilers. If any of the ASPrograms in the object class was compiled 
by a CompParty or a Compiler that is not in the set of known trusted Compiling Parties and Compilers, the class loading 
procedure is aborted, and execution of the object class is thereby blocked. Similarly, if the ASLanguage of any of 
the ASPrograms does not match the ASLanguage used by the ASProgram Executer 124, the class loading procedure is 
aborted. 

If all of the ASPrograms in the object class do include a DigitalSignature_CP and a DigitalSignature_C, and 
the identified CompParty and Compiler for all the ASPrograms are trusted Compiling Parties and Compilers, and the 
ASLanguage of all the ASPrograms is one used by the ASProgram Executer, then the signature verifier 132 verifies 
these signatures in a similar manner as was described earlier for verifying the DigitalSignature_OP (in the section dis- 
cussing compiling the ANProgram 200). However, in this case, the Compiler's and CompParty's public keys are 
retrieved from the trusted key repository 106 and respectively used to decrypt the MD_C and HashFunction_C ID in the 
DigitalSignature_C and the MD_CP and HashFunction_CP ID in the DigitalSignature_CP. The test message digests 
(TestMD_C and TestMD_CP) corresponding to the decrypted MD_C and MD_CP are generated by computing HashFunction_C 
on the ASProgram code and DigitalSignature_OP, and HashFunction_CP on the ASProgram code, DigitalSignature_OP 
and DigitalSignature_C, respectively, as set out in Table 3. 

If the DigitalSignature_C and/or the DigitalSignature_CP is not verified (i.e., MD_C ≠ TestMD_C and/or MD_CP ≠ TestMD_CP), 
the signature verifier sends back to the class loader a failed result. In response, the class loader aborts the class 
loading procedure and generates an appropriate message that this has occurred. 

However, if the DigitalSignature_C and the DigitalSignature_CP are both verified (i.e., MD_C = TestMD_C and MD_CP = 
TestMD_CP) for each ASProgram, the ANProgram executer again calls the signature verifier, this time to verify the 
DigitalSignature_OP of the ANPrograms from which the ASPrograms were compiled. To verify these signatures, the 
DigitalSignature_OP of each is verified in the same manner as was discussed earlier in the section concerning 
compilation of the ANProgram 200. 

If the DigitalSignature_OP of each of the ANPrograms from which the ASPrograms were compiled is verified, then 
the class loader calls the ANProgram integrity verifier 126 to verify the integrity of the ANPrograms in the object class 
and of the ANPrograms from which the ASPrograms were compiled. This is done in the same manner as was described ear- 
lier. If the integrity of any of these ANPrograms is not verified, then the ANProgram integrity verifier sends to the 
class loader a failed result, which aborts the class loading procedure and generates an appropriate message. 

However, if the integrity of all of these ANPrograms is verified, then the ANProgram integrity verifier sends 
back a passed result to the class loader 136. In response, the class loader invokes the ANProgram executer or ASPro- 
gram executer to execute the called method, as appropriate. 

In view of the foregoing, the ExecuterParty is assured that only those untrusted object classes in the untrusted 

Alternative Embodiments 

Some of the features of the invention described above are optional. Thus, those skilled in the art will recognize that 
alternative embodiments exist that don't include these features. 

For example, the ANProgram compiler has been described as generating both a DigitalSignature_CP and a Digital- 
Signature_C, respectively for the CompParty and the ANProgram compiler. However, the ANProgram compiler could be 
constructed simply to generate only one of these digital signatures, enabling verification of either the compiler 
used to compile the ASProgram or the compiling party. 

Similarly, the program executer has been described as requiring verification of both a DigitalSignature_CP and a 
DigitalSignature_C. However, the program executer could be constructed to require verification of only one of these dig- 
ital signatures and optionally verify the other digital signature if the ASProgram being verified includes it. Furthermore, 
the program executer could be constructed to skip the step of verifying the integrity of the ANProgram corresponding to 
each ASProgram, based on the assumption that the compiling party is trusted and that it is a duty of the compiling party 
to verify the integrity of each ANProgram that it compiles into an ASProgram prior to performing the compilation. 

When the ExecuterParty is the OrigParty, the ExecuterParty knows that it actually sent the ANProgram 200 to the 
CompParty's server computer 104 to be compiled into the ASProgram 300. In this case, the class loader 136 could be 
constructed not to call the signature verifier to verify the DigitalSignature_OP in the ANProgram. Rather, the Executer- 
Party can simply compare the DigitalSignature_OP in the local copy of the ANProgram with the DigitalSignature_OP in the 
compiled ASProgram. Additionally, the class loader could be constructed not to call the ANProgram integrity verifier 126 
to verify the integrity of the ANProgram corresponding to a called ASProgram, since the integrity of the ANProgram 
would have been checked during the preparation for compiling procedure prior to being sent to the compiling server 
computer. Alternatively, the ANProgram compiling preparer 128 could be constructed not to call the ANProgram integ- 
rity verifier during the preparation for compiling procedure, since its integrity would be checked both by the compiler and 
when the class loader calls the ANProgram integrity verifier prior to execution of the corresponding ASProgram. 

TABLE 1 

Pseudocode Representation of Method of Preparing Architecture 
Neutral Program for Compiling 

Procedure: Prepare for Compiling (ANProgram code, OrigParty's PrivateKey, and 
OrigParty's ID) 
{ 
    Verify integrity of ANProgram with ANProgram integrity verifier 
    If failed result 
        { abort and generate failed result message } 
    Generate MD_OP = HashFunction_OP (ANProgram code) 
    Generate DigitalSignature_OP = Encrypt (MD_OP + HashFunction_OP ID, OrigParty's 
        PrivateKey) + ClearText (OrigParty's ID) 
    Append DigitalSignature_OP to ANProgram code 
    Generate message that ANProgram is prepared for compiling 
    Return 
} 
TABLE 2 

Pseudocode Representation of Method of Compiling ANProgram and 
Generating ASProgram 

Procedure: Compile (ANProgram, CompParty's ID, ASLanguage ID, CompParty's 
PrivateKey, Compiler's ID, and Compiler's PrivateKey) 
{ 
    Retrieve OrigParty's PublicKey from trusted key repository using ClearText 
        OrigParty's ID in DigitalSignature_OP 
    Decrypt (MD_OP + HashFunction_OP ID in DigitalSignature_OP, OrigParty's 
        PublicKey) 
    Generate TestMD_OP = HashFunction_OP (ANProgram code) using 
        HashFunction_OP identified by decrypted HashFunction_OP ID 
    Compare decrypted MD_OP and TestMD_OP 
    If decrypted MD_OP ≠ TestMD_OP 
    { 
        /* DigitalSignature_OP of OrigParty not verified */ 
        Generate failed result message 
    } 
    Else 
    { 
        /* DigitalSignature_OP of OrigParty has been verified */ 
        Verify integrity of ANProgram with ANProgram integrity verifier 
        If failed result 
        { 
            abort and generate failed result message 
        } 
        Else 
        { 
            /* ANProgram has been verified */ 
            Compile ANProgram code into ASLanguage identified by 
                ASLanguage ID to generate ASProgram code 
            Generate MD_C = HashFunction_C (ASProgram code + 
                DigitalSignature_OP) 
            Generate DigitalSignature_C = Encrypt (MD_C + HashFunction_C ID, 
                ANProgram Compiler's PrivateKey) + ClearText 
                ANProgram Compiler's ID 
            Generate MD_CP = HashFunction_CP (ASProgram code + 
                DigitalSignature_OP + DigitalSignature_C) 
            Generate DigitalSignature_CP = Encrypt (MD_CP + HashFunction_CP 
                ID, CompParty's PrivateKey) + ClearText CompParty's ID 
            Generate and Return File or Object containing: 
                ANProgram Code, 
                DigitalSignature_OP, 
                ASProgram Code, 
                DigitalSignature_C, and 
                DigitalSignature_CP 
            /* ASProgram has been compiled and generated */ 
        } 
    } 
} 
TABLE 3 

Pseudocode Representation of Method of Executing 
Architecture Specific Program 

Procedure: Execute (ObjectClass, Program) 
{ 
    If the Program is a verifiable program 
        { Execute Program using the Bytecode Interpreter } 
    Else 
        { Execute Program using the compiled program executer } 
} 

Procedure: ClassLoad (ObjectClass, Program) 
{ 
    If Object Class has already been loaded into ExecuterParty's address space 
    { 
        Call Execute (ObjectClass, Program) 
        Return 
    } 
    /* The Object Class has not been loaded */ 
    Load Object Class into ExecuterParty's address space 
    If Object Class was loaded from Trusted Object Class Repository 
    { 
        Call Execute (ObjectClass, Program) 
        Return 
    } 
    /* Object Class was loaded from Untrusted Object Class Repository */ 
    If Object Class does not contain any ASPrograms designated as 
        native_ASPrograms in Object Header of Object 
    { 
        Verify integrity of all ANPrograms of Object Class with ANProgram integrity 
            verifier 
        If failed result 
        { 
            Abort with appropriate failed result message 
        } 
        Else 
            /* Integrity of all ANPrograms of Object Class has been verified */ 
            { Call Execute (ObjectClass, Program) } 
        Return 
    } 
    /* Object Class does contain ASPrograms designated as native_ASPrograms in 
       Object Header of Object */ 
    If any ASProgram does not contain a DigitalSignature_CP and a DigitalSignature_C 
    { 
        /* Compiling Party and Compiler of every ASProgram cannot be verified */ 
        Generate appropriate message 
        Return 
    } 
    For each ASProgram in Object Class: 
        { Determine identity of CompParty and Compiler and determine 
          ASLanguage used by ASProgram } 
    If identity of CompParty for any ASProgram is not a known, trusted Compiling 
        Party, or the identity of Compiler is not a known, trusted Compiler, or the 
        identified ASLanguage is not one used by the ASProgram Executer 
    { 
        Generate appropriate message 
        Return 
    } 
    For each ASProgram in Object Class: 
    { 
        Retrieve CompParty's PublicKey from trusted key repository using ClearText 
            CompParty's ID in DigitalSignature_CP 
        Decrypt (MD_CP + HashFunction_CP ID in DigitalSignature_CP, CompParty's 
            PublicKey) 
        Generate TestMD_CP = HashFunction_CP (ASProgram code + DigitalSignature_OP 
            + DigitalSignature_C in ASProgram) using HashFunction_CP identified by 
            decrypted HashFunction_CP ID 
        Compare decrypted MD_CP and TestMD_CP 
    } 
    If decrypted MD_CP ≠ TestMD_CP for any ASProgram 
    { 
        /* DigitalSignature_CP for every ASProgram has not been verified */ 
        Generate appropriate failed result message 
        Return 
    } 
    /* DigitalSignature_CP for every ASProgram has been verified */ 
    For each ASProgram in Object Class: 
    { 
        Retrieve ANProgram Compiler's PublicKey from trusted key repository using 
            ClearText ANProgram Compiler's ID in DigitalSignature_C 
        Decrypt (MD_C + HashFunction_C ID in DigitalSignature_C, ANProgram 
            Compiler's PublicKey) 
        Generate TestMD_C = HashFunction_C (ASProgram code + DigitalSignature_OP) 
            using HashFunction_C identified by decrypted HashFunction_C ID 
        Compare decrypted MD_C and TestMD_C 
    } 
    If decrypted MD_C ≠ TestMD_C for any ASProgram 
    { 
        /* DigitalSignature_C for every ASProgram in Object Class has not been 
           verified */ 
        Generate appropriate failed result message 
        Return 
    } 
    /* DigitalSignature_C for every ASProgram in Object Class has been verified */ 
    For each ANProgram from which an ASProgram in Object Class was compiled: 
    { 
        Retrieve OrigParty's PublicKey from trusted key repository using ClearText 
            OrigParty's ID in DigitalSignature_OP 
        Decrypt (MD_OP + HashFunction_OP ID in DigitalSignature_OP, OrigParty's 
            PublicKey) 
        Generate TestMD_OP = HashFunction_OP (ANProgram code) using 
            HashFunction_OP identified by decrypted HashFunction_OP ID 
        Compare decrypted MD_OP and TestMD_OP 
    } 
    If decrypted MD_OP ≠ TestMD_OP for any ANProgram 
    { 
        /* DigitalSignature_OP for every ANProgram from which an ASProgram in 
           Object Class was compiled not verified */ 
        Generate failed result message 
        Return 
    } 
    /* The DigitalSignature_OP of every ANProgram from which an ASProgram in Object 
       Class was compiled is verified */ 
    Verify integrity of ANPrograms in Object Class and ANPrograms from which 
        ASPrograms in Object Class were compiled with ANProgram integrity verifier 
    If failed result 
    { 
        Generate failed result message 
        Return 
    } 
    /* Integrity of all ANPrograms in Object Class and all ANPrograms from which 
       ASPrograms in Object Class were compiled has been verified */ 
    Call Execute (ObjectClass, Program) 
} 
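The three procedures of Tables 1-3 (prepare for compiling, compile, class load) as one runnable Python example. This is an added illustration, not code from the patent: a keyed HMAC over the message digest stands in for the patent's public-key Encrypt/Decrypt of MD + HashFunction ID, so the "trusted key repository" here holds secret verification keys rather than public keys, and anyone able to verify could also forge (a real deployment would use an asymmetric signature); the ANProgram integrity verifier is a toy opcode whitelist; the compiler is a toy that prefixes each instruction with the ASLanguage name. The party names, keys, opcode set and sample programs are all constructed for the example.

```python
import hashlib, hmac, json

HASH_FUNCS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}
# Trusted key repository 106 (constructed): ClearText ID -> verification key. HMAC stands in for
# the patent's public-key Encrypt/Decrypt, so these keys must stay secret, unlike public keys.
KEY_REPOSITORY = {"orig@example": b"k-orig", "comp@example": b"k-comp", "jit-x86-1.0": b"k-jit"}
TRUSTED_COMP_PARTIES = {"comp@example"}   # ExecuterParty's defined set of trusted CompParties
TRUSTED_COMPILERS = {"jit-x86-1.0"}       # ... and of trusted Compilers
EXECUTER_AS_LANGUAGE = "x86"              # the ASLanguage the ASProgram executer 124 runs
AN_OPCODES = {"PUSH", "ADD", "RET"}       # toy architecture neutral instruction set (assumed)

class LoadError(Exception):
    pass                                  # raised where Table 3 aborts class loading

def an_integrity_ok(an_code):
    """Stand-in for the ANProgram integrity verifier: every instruction must use a known opcode."""
    lines = [l for l in an_code.decode().splitlines() if l.strip()]
    return bool(lines) and all(l.split()[0] in AN_OPCODES for l in lines)

def _canon(sig):                          # canonical bytes of a signature, for hashing it into the next one
    return json.dumps(sig, sort_keys=True).encode()

def sign(signer_id, key, hash_id, data):
    """DigitalSignature = Encrypt(MD + HashFunction ID, PrivateKey) + ClearText(ID)."""
    md = HASH_FUNCS[hash_id](data).hexdigest()
    tag = hmac.new(key, (md + hash_id).encode(), hashlib.sha256).hexdigest()
    return {"id": signer_id, "hash_id": hash_id, "md": md, "tag": tag}

def verify(sig, data, what):
    """Key lookup by ClearText ID, 'decrypt' (tag over MD + HashFunction ID), then MD == TestMD."""
    key = KEY_REPOSITORY.get(sig["id"])
    if key is None:
        raise LoadError(f"{what}: no key for {sig['id']!r} in the trusted key repository")
    expect = hmac.new(key, (sig["md"] + sig["hash_id"]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, sig["tag"]):
        raise LoadError(f"{what}: signature does not decrypt under {sig['id']!r}")
    if not hmac.compare_digest(HASH_FUNCS[sig["hash_id"]](data).hexdigest(), sig["md"]):
        raise LoadError(f"{what}: MD != TestMD, code changed after signing")

def prepare_for_compiling(an_code, orig_id, orig_key):
    """Table 1: OrigParty verifies integrity, then appends DigitalSignature_OP."""
    if not an_integrity_ok(an_code):
        raise LoadError("ANProgram failed integrity verification")
    return {"an_code": an_code, "sig_op": sign(orig_id, orig_key, "sha256", an_code)}

def compile_program(an_prog, comp_id, comp_key, compiler_id, compiler_key, as_language):
    """Table 2: verify Sig_OP and integrity, compile, then append Sig_C and Sig_CP."""
    verify(an_prog["sig_op"], an_prog["an_code"], "DigitalSignature_OP")
    if not an_integrity_ok(an_prog["an_code"]):
        raise LoadError("ANProgram failed integrity verification")
    # Toy 'compiler' (assumed): one ASLanguage line per AN instruction.
    as_code = "\n".join(f"{as_language}:{l}" for l in an_prog["an_code"].decode().splitlines()).encode()
    sig_op = _canon(an_prog["sig_op"])
    sig_c = sign(compiler_id, compiler_key, "sha256", as_code + sig_op)             # MD_C
    sig_cp = sign(comp_id, comp_key, "sha512", as_code + sig_op + _canon(sig_c))   # MD_CP
    return dict(an_prog, as_code=as_code, as_language=as_language, sig_c=sig_c, sig_cp=sig_cp)

def class_load(obj_class, from_trusted_repo=False):
    """Table 3 ClassLoad: return {method: executer} or raise LoadError (loading aborted)."""
    methods = obj_class["methods"]
    executers = {m["name"]: "compiled program executer" if "as_code" in m else "bytecode interpreter"
                 for m in methods}
    if from_trusted_repo:                 # trusted repository 140: no checks at all
        return executers
    as_progs = [m for m in methods if "as_code" in m]
    for p in as_progs:                    # presence, trust-set and ASLanguage checks first
        if "sig_cp" not in p or "sig_c" not in p:
            raise LoadError(f"{p['name']}: missing DigitalSignature_CP or DigitalSignature_C")
        if p["sig_cp"]["id"] not in TRUSTED_COMP_PARTIES or p["sig_c"]["id"] not in TRUSTED_COMPILERS:
            raise LoadError(f"{p['name']}: CompParty {p['sig_cp']['id']!r} or Compiler "
                            f"{p['sig_c']['id']!r} not in the trusted sets")
        if p["as_language"] != EXECUTER_AS_LANGUAGE:
            raise LoadError(f"{p['name']}: ASLanguage {p['as_language']!r} not executable here")
    for p in as_progs:  # Table 3 makes each of these its own pass over all ASPrograms; any failure aborts
        verify(p["sig_cp"], p["as_code"] + _canon(p["sig_op"]) + _canon(p["sig_c"]), "DigitalSignature_CP")
        verify(p["sig_c"], p["as_code"] + _canon(p["sig_op"]), "DigitalSignature_C")
        verify(p["sig_op"], p["an_code"], "DigitalSignature_OP")
    for m in methods:                     # finally, ANProgram integrity for every method
        if not an_integrity_ok(m["an_code"]):
            raise LoadError(f"{m['name']}: ANProgram failed integrity verification")
    return executers

def try_load(obj_class):                  # class_load's result, or the abort message as a string
    try:
        return class_load(obj_class)
    except LoadError as e:
        return f"aborted: {e}"

def build_samples():
    """Constructed object classes: one valid, the others tampered with at different points."""
    an = prepare_for_compiling(b"PUSH 1\nPUSH 2\nADD\nRET\n", "orig@example", b"k-orig")
    ok = dict(compile_program(an, "comp@example", b"k-comp", "jit-x86-1.0", b"k-jit", "x86"), name="add")
    return {
        "valid": {"methods": [ok]},
        "as_code_patched": {"methods": [dict(ok, as_code=ok["as_code"] + b"\nx86:JMP 0xdead")]},
        "an_code_patched": {"methods": [dict(ok, an_code=b"PUSH 1\nRET\n")]},
        "untrusted_compiler": {"methods": [dict(ok, sig_c=sign("evil-jit", b"k-evil", "sha256", b""))]},
        "wrong_language": {"methods": [dict(ok, as_language="sparc")]},
    }
```

Run the samples with `try_load(build_samples()[name])`. The tampered samples show why the chain is layered: patching the ASProgram code is caught by DigitalSignature_CP, the outermost signature; swapping in a different ANProgram behind a genuine ASProgram is caught only when DigitalSignature_OP is re-verified at the executing computer; and an ASProgram signed by a compiler outside the trusted set is rejected by the membership check before any digest is compared, which is the role of the "defined set of trusted compiling parties" in the claims.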



Claims 

1. A computer network that comprises: 

a program compiling computer operated by a compiling party, the program compiling computer receiving an 
architecture neutral program generated by an originating party, the architecture neutral program containing 
architecture neutral program code and a digital signature of the originating party that when verified verifies that 
the architecture neutral program was signed by the originating party, the program compiling computer includ- 
ing: 

a signature verifier that verifies the originating party's digital signature; 

a compiler that generates an architecture specific program when the originating party's digital signature 
has been verified, the compiler generating the architecture specific program by (A) compiling the architec- 
ture neutral program code into architecture specific program code in an architecture specific language, and 
(B) appending a digital signature of the compiling party that when verified verifies that the architecture spe- 
cific program was generated by the compiling party; and 
a signature generator that generates the compiling party's digital signature; and 

a program executing computer operated by an executing party, the program executing computer receiving the 
architecture specific program and receiving or originating the architecture neutral program, the program exe- 
cuting computer including: 

a signature verifier that verifies the compiling party's digital signature; and 

an executer that executes program code that is in the architecture specific language, the executer execut- 
ing the architecture specific program code when the compiling party's signature has been verified and the 
compiling party is a member of a defined set of trusted compiling parties. 

2. A computer network as in claim 1 wherein: 

the signature generator generates a digital signature of the compiler that when verified verifies that the archi- 
tecture specific program was generated with the compiler; 

the compiler generating the architecture specific program further by appending to the architecture specific 
program code the compiler's digital signature; 

the executing computer's signature verifier verifies the compiler's digital signature; 

the executer executing the architecture specific program code only after the compiler's digital signature has 
been verified and the compiler is determined to be a member of a defined set of trusted compilers. 

3. A computer network as in claim 1 wherein: 

for the originating and compiling parties, said network includes corresponding private and public encryption 
keys and corresponding hash functions; 

the originating party's digital signature includes a message digest of the architecture neutral program gen- 
erated by performing the originating party's corresponding hash function on the architecture neutral program, the 
message digest of the architecture neutral program being encrypted with the originating party's corresponding pri- 
vate key; 
the program compiling computer's signature verifier includes instructions for verifying the originating party's 
digital signature by (A) decrypting the message digest of the architecture neutral program with the originating 
party's public encryption key, (B) generating a corresponding test message digest of the architecture neutral pro- 
gram by performing the originating party's hash function on the architecture neutral program code, and (C) compar- 
ing the decrypted message digest and the test message digest of the architecture neutral program; 

the signature generator includes instructions for generating the compiling party's digital signature by (A) 
generating a message digest of the architecture specific program by performing the compiling party's corre- 
sponding hash function on the architecture specific program code, and (B) encrypting the message digest of 
the architecture specific program with the compiling party's corresponding private key; and 

the program executing computer's signature verifier includes instructions for verifying the compiling party's 
digital signature by (A) decrypting the message digest of the architecture specific program with the compiling 
party's public encryption key, (B) generating a corresponding test message digest of the architecture specific pro- 
gram by performing the compiling party's hash function on the architecture specific program code, and (C) compar- 
ing the decrypted message digest and the test message digest of the architecture specific program. 
4. A computer network as in claim 1 wherein: 

the program executing computer further includes an architecture neutral program integrity verifier that veri- 
fies the integrity of the architecture neutral program code by verifying that the architecture neutral program code 
satisfies predefined program integrity criteria; and 

the executer executes the architecture specific program code only after the integrity of the architecture neu- 
tral program code has been verified. 

5. A computer network as in claim 1 further comprising: 

a program originating computer that provides the architecture neutral program, the program originating com- 
puter including: 

a signature generator that generates an originating party's digital signature that is appended to the archi- 
tecture neutral program code; 

the program compiling computer communicating with the program originating computer to receive the architec- 
ture neutral program from the program originating computer and to provide the architecture specific program 
to the program originating computer; 

the program executing computer communicating with the program originating computer to receive the architec- 
ture neutral and specific programs from the program originating computer; 

the program executing computer's signature verifier also verifying the originating party's digital signature. 

6. A method of operating a computer network comprising the steps of: 

at a program compiling computer operated by a compiling party: 

receiving an architecture neutral program generated by an originating party, the architecture neutral pro- 
gram containing architecture neutral program code and a digital signature of the originating party that 
when verified verifies that the architecture neutral program was signed by the originating party; 

verifying the originating party's digital signature; and 

compiling the architecture neutral program with a compiler so as to generate an architecture specific pro- 
gram when the originating party's digital signature has been verified, and appending a digital signature of 
the compiling party that when verified verifies that the architecture specific program was generated by the 
compiling party; 

at a program executing computer operated by an executing party: 

receiving the architecture specific program and receiving or originating the architecture neutral program; 

verifying the compiling party's digital signature; and 

executing the architecture specific program when the compiling party's signature has been verified and the 
compiling party is determined to be a member of a defined set of trusted compiling parties. 
7. The method of claim 6, including: 

at the program compiling computer: 

generating a digital signature of the compiler that when verified verifies that the architecture specific pro- 
gram was generated with the compiler; and 

appending to the architecture specific program code the compiler's digital signature; and 
at the program executing computer: 

verifying the compiler's digital signature; and 

executing the architecture specific program only after the compiler's digital signature has been verified and 
the compiler is determined to be a member of a defined set of trusted compilers. 

8. The method of claim 6, wherein 

for the originating and compiling parties, said network includes corresponding private and public encryption 
keys and corresponding hash functions; 

the originating party's digital signature includes a message digest of the architecture neutral program gen- 
erated by performing the originating party's corresponding hash function on the architecture neutral program, the 
message digest of the architecture neutral program being encrypted with the originating party's corresponding pri- 
vate key; 

said method including the steps of: 

at the program compiling computer: 
verifying the originating party's digital signature by (A) decrypting the message digest of the architecture 
neutral program with the originating party's public encryption key, (B) generating a corresponding test 
message digest of the architecture neutral program by performing the originating party's hash function on 
the architecture neutral program code, and (C) comparing the decrypted message digest and the test mes- 
sage digest of the architecture neutral program; and 

generating the compiling party's digital signature by (A) generating a message digest of the architecture 
specific program by performing the compiling party's corresponding hash function on the archi- 
tecture specific program code, and (B) encrypting the message digest of the architecture specific program 
with the compiling party's corresponding private key; and 



at the program executing computer: 



verifying the compiling party's digital signature by (A) decrypting the message digest of the architecture 
specific program with the compiling party's public encryption key, (B) generating a corresponding test mes- 
sage digest of the architecture specific program by performing the compiling party's hash function on the 
architecture specific program code, and (C) comparing the decrypted message digest and the test mes- 
sage digest of the architecture specific program. 

9. The method of claim 6, including: 

at the program executing computer: 

verifying the integrity of the architecture neutral program code by verifying that the architecture neutral pro- 
gram code satisfies predefined program integrity criteria; and 

executing the architecture specific program code only after the integrity of the architecture neutral program 
code has been verified. 

10. The method of claim 6, further including: 

at a program originating computer that provides the architecture neutral program: 

generating the originating party's digital signature and appending it to the architecture neutral program 
code; 

at the program compiling computer: 

communicating with the program originating computer to receive the architecture neutral program from the 
program originating computer and to provide the architecture specific program to the program originating 
computer; 

at the program executing computer: 

communicating with the program originating computer to receive the architecture neutral and specific pro- 
grams from the program originating computer; 
verifying the originating party's digital signature; and 

executing the architecture specific program only after the originating party's digital signature has been ver- 
ified. 

11. The method of claim 6, including: 

at the program executing computer: 
providing the architecture neutral program; 

generating an originating party's digital signature that signs said architecture neutral program and append- 
ing it to the architecture neutral program code; and 

at the program compiling computer: 

communicating with the program executing computer to receive the architecture neutral program from the 
program executing computer and to provide the architecture specific program to the program executing 
computer. 

12. A system for distributing code stored on computer-readable media and executable by computers, the code includ- 
ing a plurality of modules each configured to carry out at least one function to be executed by one of the computers, 
the system comprising: 

a first module configured for use in conjunction with a program compiling computer, operated by a compiling 
party, that receives an architecture neutral program generated by an originating party, the architecture neutral 
program containing architecture neutral program code and a digital signature of the originating party that when 
verified verifies that the architecture neutral program was signed by the originating party, the first module 
including: 

a signature verifier that verifies the originating party's digital signature; 

a compiler that generates an architecture specific program when the originating party's digital signature 
has been verified, the compiler generating the architecture specific program by (A) compiling the architec- 
ture neutral program code into architecture specific program code in an architecture specific language, and 
(B) appending a digital signature of the compiling party that when verified verifies that the architecture spe- 
cific program was generated by the compiling party; and 

a signature generator that generates the compiling party's digital signature; and 

a second module for use in conjunction with a program executing computer, operated by an executing party, 
that receives the architecture specific program and receives or originates the architecture neutral program the 
second module including: 

a signature verifier that verifies the compiling party's digital signature; and 

an executer that executes program code that is in the architecture specific language, the executer execut- 
ing the architecture specific program code when the compiling party's signature has been verified and it 
has been determined that compiling party is a member of a defined set of trusted compiling parties. 

13. A system as in claim 12 wherein: 

the signature generator generates a digital signature of the compiler that when verified verifies that the archi- 
tecture specific program was generated with the compiler; 

the first module appends to the architecture specific program code the compiler's digital signature; 
the second module's signature verifier verifies the compiler's digital signature; 

the second module's executer executes the architecture specific program code only after the compiler's dig- 
ital signature has been verified and it has been determined that compiler is a member of a defined set of trusted 
compilers. 


14. A system as in claim 12 wherein: 

for the originating and compiling parties, said system includes corresponding private and public encryption 
keys and corresponding hash functions; 

the originating party's digital signature includes a message digest of the architecture neutral program gen- 
erated by performing the originating party's corresponding hash function on the architecture neutral program, the 
message digest of the architecture neutral program being encrypted with the originating party's corresponding pri- 
vate key; 

the first module's signature verifier includes instructions for verifying the originating party's digital signature 
by (A) decrypting the message digest of the architecture neutral program with the originating party's public encryp- 
tion key, (B) generating a corresponding test message digest of the architecture neutral program by performing the 
originating party's hash function on the architecture neutral program code, and (C) comparing the decrypted mes- 
sage digest and the test message digest of the architecture neutral program; 

the first module's signature generator includes instructions for generating the compiling party's digital signa- 
ture by (A) generating a message digest of the architecture specific program by performing the compiling 
party's corresponding hash function on the architecture specific program code, and (B) encrypting the message 
digest of the architecture specific program with the compiling party's corresponding private key; and 

the second module's signature verifier includes instructions for verifying the compiling party's digital signa- 
ture by (A) decrypting the message digest of the architecture specific program with the compiling party's public 
encryption key, (B) generating a corresponding test message digest of the architecture specific program by per- 
forming the compiling party's hash function on the architecture specific program code, and (C) comparing the 
decrypted message digest and the test message digest of the architecture specific program. 